Adding Sophos email appliance using existing cisco asa5510

I am currently using a Cisco ASA5510 with NAT confogured for passinfg to my email server. Remote users use OWA for email access. This all works fine now. I am installing a Sophos email appliance. If I chnage the internal NAT address to that of the email appliance I lose OWA access. I could configure OWA on another external address and set up the rules accordingly but I am trying to use the existing external address to avoid having to redo the OWA shortcut on all 100 laptops in the field. Any ideas how I can make the existing addressing and config work?

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Justin EllenbeckerIT DirectorCommented:
It sounds like you are doing single NAT for the entire IP.  You need to send port 443 to the OWA server and only 25 to the new appliance.  Are you using ASDM or CLI to modify the ASA?
Justin EllenbeckerIT DirectorCommented:
This command will NAT all traffic for an IP:

static (inside,outside) X.X.X.X 192.168.X.X netmask

This will NAT for just one port (443 or HTTPS):

static (inside,outside) tcp X.X.X.X https 192.168.x.x https
sdoughtyAuthor Commented:
I generally use ASDM and yes it is a single NAT for the entire IP
Big Business Goals? Which KPIs Will Help You

The most successful MSPs rely on metrics – known as key performance indicators (KPIs) – for making informed decisions that help their businesses thrive, rather than just survive. This eBook provides an overview of the most important KPIs used by top MSPs.

Justin EllenbeckerIT DirectorCommented:
Ok then when you create the NAT statement in ASDM just make sure you check the box for enable Port Address Translation.  It should be in the same screen where the rule is created.  Just create a new static NAT entry and then you can select TCP from the drop down and the service which for OWA is HTTPS.  You should be able to even change the current static rule and then copy it and just change the port on the new one.
sdoughtyAuthor Commented:
PAT is enabled on the outside interface ip. There is another staic NAT for an IP address within that range IP range pointing to the email server. Should I recreate the static NAT currently to the email server and make it dynamic. The outside interface is configured as Pool 1. PAT using the IP address of the interface.
Justin EllenbeckerIT DirectorCommented:
Can you post a screen shot of your NAT screen please I am kind of confused as to what you are talking about? Dynamic is for like when people browse the web and things usually not for this type of implemtation.  If you only have 1 external IP thats fine a Static NAT on the inside interface will need to be created.  If you look at the columns in the asdm you will see the real heading.  That will have the source as your exchange server or the appliance and the destination as any.  Under the translated heading the interface will be outside and the address will be the external IP.  Under both the source and address you will see the TCP https arrow.  Here is a screen show of what a rule looks like in my ASDM for doing PAT and sending all https traffic to our exchange server for OWA.  You will also notice the dynamic which is used for normal web browsing.
sdoughtyAuthor Commented:
Here is a modified screenshot of the NAT screen.
sdoughtyAuthor Commented:
I should remove
static (inside,outside) X.X.X.X Email_Server netmask

And replace with 2 entries

static (inside,outside) tcp X.X.X.X 443 192.168.x.x 443 and
static (inside,outside) tcp X.X.X.X smtp or 25 192.168.x.y smtp or 25

Is this correct?
Justin EllenbeckerIT DirectorCommented:
Yes, that is correct with 192.169.x.x being your exchange server for OWA and 192.168.x.y being your Appliance.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
sdoughtyAuthor Commented:
Thank you I will give that a try later after hours and test.
sdoughtyAuthor Commented:
Thank you for all your help. Everything is working perfectly now. Sometimes too much is read into an issue and a second set of eyes is a tremendous help.
A old question I know, but I am having similar issues. I have a ASA 5520 asdm 5.2
I have exchange 2010. I am trying to use the encryption email on the Sophos appliance. The problem I am having is that the Sophos is asking to connect to, but yet it is saying connection refused. I also have postini setup for inc. mail.

I have tried creating static rules for Sophos, allowing smtp to go out on a ext address. That fixed my issue of the Sophos failing the network test. Now I am trying to see this secure site that the Sophos set, but no matter what I try I cannot get it to go.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Email Protocols

From novice to tech pro — start learning today.